I have a web application running on Windows Server 2016. In this app I use HTTP.sys with Negotiate authentication enabled. I have also configured Active Directory, and when I open my site I see that the web browser gets Kerberos tickets and sends them to the server.

Here are the tickets which the client sends to the server:


After sending the second ticket to the server I get a response with a 401 error in it.

I use Network Monitor and KerberosAuthenticationTester.exe for troubleshooting, although it doesn't help.

I think that I have trouble with http.sys kernel-mode authentication. I know that http.sys runs under the SYSTEM account and I have to register an SPN for it, but I don't know how to find out its name.

So I have two main questions. First, how do I register an SPN to make Kerberos kernel-mode authentication work? Second, how can I troubleshoot such issues? I didn't find any way to watch logs of the http.sys ticket validation process.

Here is the list of all SPNs registered in my domain:

Object Name =  WIN-7371PG2MFIQ
DN      =       CN=WIN-7371PG2MFIQ,OU=Domain Controllers,DC=testing,DC=com
Object Cat. =  CN=Computer,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       ldap/WIN-7371PG2MFIQ.testing.com/testing.com
SPN( 2 )   =       Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/WIN-7371PG2MFIQ.testing.com
SPN( 3 )   =       ldap/WIN-7371PG2MFIQ.testing.com/ForestDnsZones.testing.com
SPN( 4 )   =       ldap/WIN-7371PG2MFIQ.testing.com/DomainDnsZones.testing.com
SPN( 5 )   =       TERMSRV/WIN-7371PG2MFIQ
SPN( 6 )   =       TERMSRV/WIN-7371PG2MFIQ.testing.com
SPN( 7 )   =       DNS/WIN-7371PG2MFIQ.testing.com
SPN( 8 )   =       GC/WIN-7371PG2MFIQ.testing.com/testing.com
SPN( 9 )   =       RestrictedKrbHost/WIN-7371PG2MFIQ.testing.com
SPN( 10 )   =       RestrictedKrbHost/WIN-7371PG2MFIQ
SPN( 11 )   =       RPC/7f8d73cf-6d4c-4ba0-9fc1-fcadbdb48035._msdcs.testing.com
SPN( 12 )   =       HOST/WIN-7371PG2MFIQ/TESTING
SPN( 13 )   =       HOST/WIN-7371PG2MFIQ.testing.com/TESTING
SPN( 14 )   =       HOST/WIN-7371PG2MFIQ
SPN( 15 )   =       HOST/WIN-7371PG2MFIQ.testing.com
SPN( 16 )   =       HOST/WIN-7371PG2MFIQ.testing.com/testing.com
SPN( 17 )   =       E3514235-4B06-11D1-AB04-00C04FC2DCD2/7f8d73cf-6d4c-4ba0-9fc1-fcadbdb48035/testing.com
SPN( 18 )   =       ldap/WIN-7371PG2MFIQ/TESTING
SPN( 19 )   =       ldap/7f8d73cf-6d4c-4ba0-9fc1-fcadbdb48035._msdcs.testing.com
SPN( 20 )   =       ldap/WIN-7371PG2MFIQ.testing.com/TESTING
SPN( 21 )   =       ldap/WIN-7371PG2MFIQ
SPN( 22 )   =       ldap/WIN-7371PG2MFIQ.testing.com

Object Name =  DESKTOP-8727TGP
DN      =       CN=DESKTOP-8727TGP,CN=Computers,DC=testing,DC=com
Object Cat. =  CN=Computer,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       TERMSRV/DESKTOP-8727TGP
SPN( 2 )   =       TERMSRV/DESKTOP-8727TGP.testing.com
SPN( 3 )   =       RestrictedKrbHost/DESKTOP-8727TGP
SPN( 4 )   =       HOST/DESKTOP-8727TGP
SPN( 5 )   =       RestrictedKrbHost/DESKTOP-8727TGP.testing.com
SPN( 6 )   =       HOST/DESKTOP-8727TGP.testing.com

Object Name =  containerhost
DN      =       CN=containerhost,CN=Managed Service Accounts,DC=testing,DC=com
Object Cat. =  CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       HTTP/containerhost1.domain.test

Object Name =  Admin
DN      =       CN=Admin,CN=Users,DC=testing,DC=com
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       http/testing.com

Object Name =  krbtgt
DN      =       CN=krbtgt,CN=Users,DC=testing,DC=com
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       kadmin/changepw

1 Answer

You have the SPN attached to your Admin user. Kerberos works by encrypting the ticket to the key (password) of the principal (user) that has the SPN attached. That means it's encrypted to the Admin user.

Object Name =  Admin
DN      =       CN=Admin,CN=Users,DC=testing,DC=com
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       http/testing.com

Your IIS server has no knowledge of the user's password, so it has no way to decrypt the ticket.

What you need to do is REMOVE the SPN from the Admin user and ADD it to the computer principal running IIS. Note that you must remove it before you can add it to another principal.
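As an added worked example (not part of the answer above), the following PowerShell session does the move the answer describes: it finds every principal holding the SPN, removes it from the Admin user, registers it on the IIS computer account, and then verifies the result. It assumes the ActiveDirectory module is installed, that the site is browsed as https://testing.com (so the SPN the browser asks for is HTTP/testing.com, as in the dump), and that the IIS host's computer account is named WEBSRV01; that computer name is an assumption, since the page does not say which machine runs IIS.

```powershell
# Added example, not from the original question or answer.
# Assumptions: IIS/HTTP.sys host computer account = WEBSRV01 (assumed name),
# site browsed as https://testing.com so the requested SPN is HTTP/testing.com.
Import-Module ActiveDirectory

$Spn         = 'HTTP/testing.com'
$IisComputer = 'WEBSRV01'   # assumption: the computer account of the IIS host

# 1. Find every principal currently carrying the SPN. A service ticket for this
#    SPN is encrypted with the long-term key of whichever account holds it, so it
#    must exist on exactly one account: the one HTTP.sys decrypts with.
$Holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                        -Properties servicePrincipalName
$Holders | Select-Object Name, ObjectClass, DistinguishedName

# 2. Remove the SPN from every holder that is not the IIS computer account.
#    As the answer notes, the SPN must be removed before it can be added elsewhere.
#    Match case-insensitively so the lowercase 'http/testing.com' on Admin is caught.
foreach ($h in $Holders) {
    if ($h.Name -ne $IisComputer) {
        $stale = $h.servicePrincipalName | Where-Object { $_ -ieq $Spn }
        foreach ($value in $stale) {
            Set-ADObject -Identity $h.DistinguishedName -Remove @{servicePrincipalName = $value}
            Write-Host "Removed $value from $($h.DistinguishedName)"
        }
    }
}

# 3. Register the SPN on the computer account. Kernel-mode HTTP.sys authentication
#    uses the machine account's key, so this is where the SPN belongs.
#    The Add operation keeps the existing HOST/ and RestrictedKrbHost/ entries.
Set-ADComputer -Identity $IisComputer -ServicePrincipalNames @{Add = $Spn}

# 4. Verify in AD: no duplicate SPNs anywhere, and the HTTP/ entry is listed
#    on the computer account alongside its HOST/ entries.
setspn -X
setspn -L $IisComputer

# 5. Verify from a client (run there, not on the server): drop cached tickets,
#    request a fresh service ticket, and confirm the Server field shows the SPN.
#    A ticket that is issued but still yields 401 points back at the key holder.
# klist purge
# klist get HTTP/testing.com
```

If the application pool ran as a dedicated domain or group-managed service account instead of SYSTEM with kernel-mode authentication, the same steps apply but the SPN is added to that account (as with the gMSA containerhost in the dump) rather than to the computer object.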